The National Information Technology Development Agency (NITDA) has placed a N10m fine on an online lending platform, Soko Lending Company Limited (Soko Loans), for privacy invasion.
The agency also disclosed that the criminal aspects of the investigation has been deposited with the Police to determine if the executives of the company are liable to imprisonment for violating Section 17 of the NITDA Act, 2007.
Mrs Hadiza Umar, Head, Corporate Affairs and External Relations of NITDA, said this in a statement on Tuesday in Abuja.
Umar said the action was taken following series of complaints against the company for unauthorised disclosures, failure to protect customers’ personal data, defamation of character and violating the provisions of the Nigeria Data Protection Regulation (NDPR).
According to her, one of such complaints filed by Bloomgate Solicitors on behalf of its client, the data subject, was received on Monday, Nov. 11, 2019, which prompted the agency to investigate the claims.
Umar explained that Soko Loans granted its customers uncollateralised loans which required a loanee to download its mobile application on the phone and activate a direct debit in the company’s favour.
“In such manner, the application gains access to the loanee’s phone contacts,” she said.
According to one of the complainants, when he failed to meet up with his repayment obligations due to insufficient credit in his account on the date the direct debit was to take effect, the company unilaterally sent privacy-invading messages to the complainant’s contacts.
She said NITDA’s investigation revealed that the complainants’ contacts who were neither parties to the loan transaction nor consented to the processing of their data had confirmed the receipt of such messages.
The agency also made efforts to get Soko Loan to change the unethical practise but to no avail. She added that following the investigation, it secured a lien order on one of the company’s accounts by which it could come up with privacy-enhancing solutions for its business model.
Umar said instead, Soko Loan decided to rebrand and direct its customers to pay into its other business accounts.
She said: “The agency’s investigation further revealed that the company embeds trackers that share data with third parties inside its mobile application without providing users information about it or using the appropriate lawful basis.
“NITDA has, therefore, found Soko Loan and its entities in violation of use of non-conforming privacy notice, contrary to the content of the NDPR, insufficient lawful basis for processing personal data, contrary to Articles 2.2 and 2.3 of the NDPR.”
It said the company was involved in “illegal data sharing without appropriate lawful basis, contrary to Article 2.2 of the NDPR, unwillingness to cooperate with the Data Protection Authority, contrary to Article 3.1 (1) of Data Protection Implementation Framework and non-filing of NDPR audit reports through a licensed Data Protection Compliance Organisation (DPCO).
“In view of the foregoing and in consideration of its implication on the privacy of Nigerians and erosion of trust in the digital economy, NITDA hereby imposes a monetary sanction of N10 million on Soko Lending Company Ltd.
“NITDA also directs that no further privacy-invading messages be sent to any Nigerian until the company and its entities show full compliance with the NDPR.”
She said the agency also directed the company to pay for the conduct of a Data Protection Impact Assessment by a NITDA appointed DPCO on its operation and placement on a mandatory IT and Data Protection oversight for nine months.
Umar clarified that the incriminating aspects of the investigation were deposited with the Nigerian Police to determine if the executives of the company were liable to imprisonment for violating Section 17 of the NITDA Act, 2007.
She, however, reminded all Nigerian businesses and data controllers of their obligation to engage NITDA-licensed DPCO to guide them toward compliance with the data protection law.
Umar reiterated that the agency was committed to fully enforcing the NDPR with the aim of sanitising the operating environment, instilling confidence in the digital economy and protecting the right to data privacy of Nigerians.
She recalled that the agency issued the NDPR as Nigeria’s first comprehensive framework for the protection of personal data. She said the regulation provided the principles, framework, and protection and processing of personal data of Nigerians and residents.